Cyber Round-up for 6th December
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
An international investigation has led to the closing down of a website known as Imminent Methods. This site has been a hotspot for people looking to buy hacking tools, or more specifically spying tools; the UK’s National Crime Agency (NCA) confirmed that around 14,500 people had purchased such tools from the site. Police have raided over 80 properties around the world in search of the sellers. One of the tools being sold, known as the Imminent Monitor Remote Access Trojan, gives an attacker complete control of an infected device, allowing them to monitor the victim’s activity, access their webcam and even steal data.
UK-based music streaming platform Mixcloud has suffered a huge data breach exposing the account details of over 20 million users. The breach, which occurred at the start of November, included the usernames, email addresses and passwords of all users affected; after being stolen by the attacker, all of the details were listed for sale on the dark web. Shortly after the breach, the streaming service issued a customer-wide password reset, but initially misled users about the reason in order to avoid announcing the breach; it has now been made clear that the reset was done to secure users’ accounts.
A recently discovered trojan known as CStealer has been detected in the wild and is using a remote MongoDB database to stash stolen passwords. The passwords are stolen from Google Chrome and sent directly to the database, where the attacker can retrieve them at a later time. We recommend reading up on this and taking a look at the CStealer removal guide included in the post if you believe you may be a victim of this attack.
A new and innovative malware campaign has been discovered that appears to be targeting educational and healthcare institutions. What makes this campaign unique is that it uses a trojanised variant of the popular game Tetris to steal credentials from its victims. The trojan is very advanced and is capable of performing a number of different attacks, including man-in-the-middle, keylogging, web-injection and credential harvesting. Once the victim has downloaded and run the trojanised game, it executes Cobalt Strike binaries while the application is loading, which also allows the infected device to communicate with the command and control server.
Vulnerabilities & Updates
A recently discovered wiper malware named ZeroCleare has been targeting the energy and industrial sectors in the Middle East. This is believed to be the work of the group APT34, an Iranian cluster of cyber espionage activity. The attack is reported to have started in the autumn of 2018 and continued to escalate until the summer of 2019, when the attackers used password spraying on the local network to access accounts and gain administrative access. These kinds of wiper attacks are typically intended to destroy infrastructure and disrupt operations, rather than to steal data.
A new Android vulnerability has been discovered that is being actively exploited in the wild; the flaw allows phishing overlays and permission requests to be displayed on top of legitimate applications on an infected device. The flaw has been named StrandHogg and resides in the taskAffinity control setting on all Android devices; root access is not required to exploit it, and it has been confirmed that all versions of Android are affected. Google have announced that they have suspended the potentially harmful applications to help protect users, but still advise caution when receiving notifications and permission requests.
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
Why not follow us on social media using the links provided on the right.
Edition #70 – 6th December 2019
Ironshare – Security Simplified